def setUpModule(self): signing_path = CMSDIR with open(os.path.join(signing_path, 'auth_token_scoped.pem')) as f: self.SIGNED_TOKEN_SCOPED = cms.cms_to_token(f.read()) with open(os.path.join(signing_path, 'auth_token_unscoped.pem')) as f: self.SIGNED_TOKEN_UNSCOPED = cms.cms_to_token(f.read()) with open(os.path.join(signing_path, 'auth_token_revoked.pem')) as f: self.REVOKED_TOKEN = cms.cms_to_token(f.read()) self.REVOKED_TOKEN_HASH = utils.hash_signed_token(self.REVOKED_TOKEN) with open(os.path.join(signing_path, 'revocation_list.json')) as f: self.REVOCATION_LIST = jsonutils.loads(f.read()) with open(os.path.join(signing_path, 'revocation_list.pem')) as f: self.VALID_SIGNED_REVOCATION_LIST = jsonutils.dumps( {'signed': f.read()}) self.SIGNED_TOKEN_SCOPED_KEY =\ cms.cms_hash_token(self.SIGNED_TOKEN_SCOPED) self.SIGNED_TOKEN_UNSCOPED_KEY =\ cms.cms_hash_token(self.SIGNED_TOKEN_UNSCOPED) self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY] = { 'access': { 'token': { 'id': self.SIGNED_TOKEN_SCOPED_KEY, }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'tenantId': 'tenant_id1', 'tenantName': 'tenant_name1', 'roles': [ { 'name': 'role1' }, { 'name': 'role2' }, ], }, }, } self.TOKEN_RESPONSES[SIGNED_TOKEN_UNSCOPED_KEY] = { 'access': { 'token': { 'id': SIGNED_TOKEN_UNSCOPED_KEY, }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'roles': [ { 'name': 'role1' }, { 'name': 'role2' }, ], }, }, },
def test_cms_hash_token_default_md5(self): """The default hash method is md5.""" token = self.examples.SIGNED_TOKEN_SCOPED token_id_default = cms.cms_hash_token(token) token_id_md5 = cms.cms_hash_token(token, mode='md5') self.assertThat(token_id_default, matchers.Equals(token_id_md5)) # md5 hash is 32 chars. self.assertThat(token_id_default, matchers.HasLength(32))
def setUpModule(self): signing_path = CMSDIR with open(os.path.join(signing_path, "auth_token_scoped.pem")) as f: self.SIGNED_TOKEN_SCOPED = cms.cms_to_token(f.read()) with open(os.path.join(signing_path, "auth_token_unscoped.pem")) as f: self.SIGNED_TOKEN_UNSCOPED = cms.cms_to_token(f.read()) with open(os.path.join(signing_path, "auth_v3_token_scoped.pem")) as f: self.SIGNED_v3_TOKEN_SCOPED = cms.cms_to_token(f.read()) with open(os.path.join(signing_path, "auth_token_revoked.pem")) as f: self.REVOKED_TOKEN = cms.cms_to_token(f.read()) self.REVOKED_TOKEN_HASH = utils.hash_signed_token(self.REVOKED_TOKEN) with open(os.path.join(signing_path, "auth_v3_token_revoked.pem")) as f: self.REVOKED_v3_TOKEN = cms.cms_to_token(f.read()) self.REVOKED_v3_TOKEN_HASH = utils.hash_signed_token(self.REVOKED_v3_TOKEN) with open(os.path.join(signing_path, "revocation_list.json")) as f: self.REVOCATION_LIST = jsonutils.loads(f.read()) with open(os.path.join(signing_path, "revocation_list.pem")) as f: self.VALID_SIGNED_REVOCATION_LIST = jsonutils.dumps({"signed": f.read()}) self.SIGNED_TOKEN_SCOPED_KEY = cms.cms_hash_token(self.SIGNED_TOKEN_SCOPED) self.SIGNED_TOKEN_UNSCOPED_KEY = cms.cms_hash_token(self.SIGNED_TOKEN_UNSCOPED) self.SIGNED_v3_TOKEN_SCOPED_KEY = cms.cms_hash_token(self.SIGNED_v3_TOKEN_SCOPED) self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY] = { "access": { "token": {"id": self.SIGNED_TOKEN_SCOPED_KEY}, "user": { "id": "user_id1", "name": "user_name1", "tenantId": "tenant_id1", "tenantName": "tenant_name1", "roles": [{"name": "role1"}, {"name": "role2"}], }, } } self.TOKEN_RESPONSES[SIGNED_TOKEN_UNSCOPED_KEY] = ( { "access": { "token": {"id": SIGNED_TOKEN_UNSCOPED_KEY}, "user": {"id": "user_id1", "name": "user_name1", "roles": [{"name": "role1"}, {"name": "role2"}]}, } }, ) self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_KEY] = { "token": { "expires": "2999-01-01T00:00:10Z", "user": {"id": "user_id1", "name": "user_name1", "domain": {"id": "domain_id1", "name": "domain_name1"}}, "project": { "id": "tenant_id1", "name": "tenant_name1", "domain": {"id": "domain_id1", "name": "domain_name1"}, }, "roles": [{"name": "role1"}, {"name": "role2"}], "catalog": {}, } }
def setUpModule(self): signing_path = CMSDIR with open(os.path.join(signing_path, 'auth_token_scoped.pem')) as f: self.SIGNED_TOKEN_SCOPED = cms.cms_to_token(f.read()) with open(os.path.join(signing_path, 'auth_token_unscoped.pem')) as f: self.SIGNED_TOKEN_UNSCOPED = cms.cms_to_token(f.read()) with open(os.path.join(signing_path, 'auth_token_revoked.pem')) as f: self.REVOKED_TOKEN = cms.cms_to_token(f.read()) self.REVOKED_TOKEN_HASH = utils.hash_signed_token(self.REVOKED_TOKEN) with open(os.path.join(signing_path, 'revocation_list.json')) as f: self.REVOCATION_LIST = jsonutils.loads(f.read()) with open(os.path.join(signing_path, 'revocation_list.pem')) as f: self.VALID_SIGNED_REVOCATION_LIST = jsonutils.dumps( {'signed': f.read()}) self.SIGNED_TOKEN_SCOPED_KEY =\ cms.cms_hash_token(self.SIGNED_TOKEN_SCOPED) self.SIGNED_TOKEN_UNSCOPED_KEY =\ cms.cms_hash_token(self.SIGNED_TOKEN_UNSCOPED) self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY] = { 'access': { 'token': { 'id': self.SIGNED_TOKEN_SCOPED_KEY, }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'tenantId': 'tenant_id1', 'tenantName': 'tenant_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], }, }, } self.TOKEN_RESPONSES[SIGNED_TOKEN_UNSCOPED_KEY] = { 'access': { 'token': { 'id': SIGNED_TOKEN_UNSCOPED_KEY, }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], }, }, },
def _validate_user_token(self, user_token, retry=True): """Authenticate user using PKI :param user_token: user's token id :param retry: Ignored, as it is not longer relevant :return uncrypted body of the token if the token is valid :raise InvalidUserToken if token is rejected :no longer raises ServiceError since it no longer makes RPC """ try: token_id = cms.cms_hash_token(user_token) cached = self._cache_get(token_id) if cached: return cached if cms.is_ans1_token(user_token): verified = self.verify_signed_token(user_token) data = json.loads(verified) else: data = self.verify_uuid_token(user_token, retry) self._cache_put(token_id, data) return data except Exception as e: self.LOG.debug('Token validation failure.', exc_info=True) self._cache_store_invalid(user_token) self.LOG.warn("Authorization failed for token %s", user_token) raise InvalidUserToken('Token authorization failed')
def get(self, user_token): """Check if the token is cached already. Returns a tuple. The first element is a list of token IDs, where the first one is the preferred hash. The second element is the token data from the cache if the token was cached, otherwise ``None``. :raises exc.InvalidToken: if the token is invalid """ if cms.is_asn1_token(user_token) or cms.is_pkiz(user_token): # user_token is a PKI token that's not hashed. token_hashes = list(cms.cms_hash_token(user_token, mode=algo) for algo in self._hash_algorithms) for token_hash in token_hashes: cached = self._cache_get(token_hash) if cached: return (token_hashes, cached) # The token wasn't found using any hash algorithm. return (token_hashes, None) # user_token is either a UUID token or a hashed PKI token. token_id = user_token cached = self._cache_get(token_id) return ([token_id], cached)
def get(self, user_token): """Check if the token is cached already. Returns a tuple. The first element is a list of token IDs, where the first one is the preferred hash. The second element is the token data from the cache if the token was cached, otherwise ``None``. :raises exc.InvalidToken: if the token is invalid """ if cms.is_asn1_token(user_token) or cms.is_pkiz(user_token): # user_token is a PKI token that's not hashed. token_hashes = list( cms.cms_hash_token(user_token, mode=algo) for algo in self._hash_algorithms) for token_hash in token_hashes: cached = self._cache_get(token_hash) if cached: return (token_hashes, cached) # The token wasn't found using any hash algorithm. return (token_hashes, None) # user_token is either a UUID token or a hashed PKI token. token_id = user_token cached = self._cache_get(token_id) return ([token_id], cached)
def _validate_user_token(self, user_token, retry=True): """Authenticate user using PKI :param user_token: user's token id :param retry: Ignored, as it is not longer relevant :return uncrypted body of the token if the token is valid :raise InvalidUserToken if token is rejected :no longer raises ServiceError since it no longer makes RPC """ token_id = None try: token_id = cms.cms_hash_token(user_token) cached = self._cache_get(token_id) if cached: return cached if cms.is_ans1_token(user_token): verified = self.verify_signed_token(user_token) data = jsonutils.loads(verified) else: data = self.verify_uuid_token(user_token, retry) expires = confirm_token_not_expired(data) self._cache_put(token_id, data, expires) return data except NetworkError: self.LOG.debug('Token validation failure.', exc_info=True) self.LOG.warn("Authorization failed for token %s", token_id) raise InvalidUserToken('Token authorization failed') except Exception: self.LOG.debug('Token validation failure.', exc_info=True) if token_id: self._cache_store_invalid(token_id) self.LOG.warn("Authorization failed for token %s", token_id) raise InvalidUserToken('Token authorization failed')
def test_fetch_revocation_list_md5(self): """If the server is configured for md5, then the revocation list has tokens hashed with MD5. """ # The default hash algorithm is md5. hash_algorithm = 'md5' (data, token) = self._fetch_parse_revocation_list() token_hash = cms.cms_hash_token(token, mode=hash_algorithm) self.assertThat(token_hash, matchers.Equals(data['revoked'][0]['id']))
def generate_unique_id(token_id): """Return a unique ID for a token. The returned value is useful as the primary key of a database table, memcache store, or other lookup table. :returns: Given a PKI token, returns it's hashed value. Otherwise, returns the passed-in value (such as a UUID token ID or an existing hash). """ return cms.cms_hash_token(token_id, mode=cfg.CONF.token.hash_algorithm)
def test_fetch_revocation_list_sha256(self): """If the server is configured for sha256, then the revocation list has tokens hashed with SHA256 """ hash_algorithm = "sha256" self.config_fixture.config(group="token", hash_algorithm=hash_algorithm) (data, token) = self._fetch_parse_revocation_list() token_hash = cms.cms_hash_token(token, mode=hash_algorithm) self.assertThat(token_hash, matchers.Equals(data["revoked"][0]["id"]))
def unique_id(self, token_id): """Return a unique ID for a token. The returned value is useful as the primary key of a database table, memcache store, or other lookup table. :returns: Given a PKI token, returns it's hashed value. Otherwise, returns the passed-in value (such as a UUID token ID or an existing hash). """ return cms.cms_hash_token(token_id, mode=CONF.token.hash_algorithm)
def test_fetch_revocation_list_sha256(self): """If the server is configured for sha256, then the revocation list has tokens hashed with SHA256 """ hash_algorithm = 'sha256' self.config_fixture.config(group='token', hash_algorithm=hash_algorithm) (data, token) = self._fetch_parse_revocation_list() token_hash = cms.cms_hash_token(token, mode=hash_algorithm) self.assertThat(token_hash, matchers.Equals(data['revoked'][0]['id']))
def __init__(self, token_id, token_data): self.token_data = token_data self.token_id = token_id try: super(KeystoneToken, self).__init__(**token_data['token']) except KeyError: raise exception.UnsupportedTokenVersionException() self.short_id = cms.cms_hash_token(token_id, mode=CONF.token.hash_algorithm) if self.project_scoped and self.domain_scoped: raise exception.UnexpectedError(_('Found invalid token: scoped to ' 'both project and domain.'))
def _token_hashes(self, token): """Generate a list of hashes that the current token may be cached as. The first element of this list is the preferred algorithm and is what new cache values should be saved as. :param str token: The token being presented by a user. :returns: list of str token hashes. """ if cms.is_asn1_token(token) or cms.is_pkiz(token): return list(cms.cms_hash_token(token, mode=algo) for algo in self._hash_algorithms) else: return [token]
def __init__(self, token_id, token_data): self.token_data = token_data if "access" in token_data: super(KeystoneToken, self).__init__(**token_data["access"]) self.version = V2 elif "token" in token_data and "methods" in token_data["token"]: super(KeystoneToken, self).__init__(**token_data["token"]) self.version = V3 else: raise exception.UnsupportedTokenVersionException() self.token_id = token_id self.short_id = cms.cms_hash_token(token_id, mode=CONF.token.hash_algorithm) if self.project_scoped and self.domain_scoped: raise exception.UnexpectedError(_("Found invalid token: scoped to " "both project and domain."))
def __init__(self, token_id, token_data): self.token_data = token_data if 'access' in token_data: super(KeystoneToken, self).__init__(**token_data['access']) self.version = V2 elif 'token' in token_data and 'methods' in token_data['token']: super(KeystoneToken, self).__init__(**token_data['token']) self.version = V3 else: raise exception.UnsupportedTokenVersionException() self.token_id = token_id self.short_id = cms.cms_hash_token(token_id, mode=CONF.token.hash_algorithm) if self.project_scoped and self.domain_scoped: raise exception.UnexpectedError(_('Found invalid token: scoped to ' 'both project and domain.'))
def pkiToUuid(token): return cms.cms_hash_token(token)
def test_cms_hash_token_sha256(self): """Can also hash with sha256.""" token = self.examples.SIGNED_TOKEN_SCOPED token_id = cms.cms_hash_token(token, mode='sha256') # sha256 hash is 64 chars. self.assertThat(token_id, matchers.HasLength(64))
def setUp(self): super(Examples, self).setUp() # The data for several tests are signed using openssl and are stored in # files in the signing subdirectory. In order to keep the values # consistent between the tests and the signed documents, we read them # in for use in the tests. with open(os.path.join(CMSDIR, 'auth_token_scoped.pem')) as f: self.SIGNED_TOKEN_SCOPED = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_unscoped.pem')) as f: self.SIGNED_TOKEN_UNSCOPED = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_v3_token_scoped.pem')) as f: self.SIGNED_v3_TOKEN_SCOPED = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_revoked.pem')) as f: self.REVOKED_TOKEN = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_scoped_expired.pem')) as f: self.SIGNED_TOKEN_SCOPED_EXPIRED = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_v3_token_revoked.pem')) as f: self.REVOKED_v3_TOKEN = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'revocation_list.json')) as f: self.REVOCATION_LIST = jsonutils.loads(f.read()) with open(os.path.join(CMSDIR, 'revocation_list.pem')) as f: self.SIGNED_REVOCATION_LIST = jsonutils.dumps({'signed': f.read()}) self.SIGNING_CERT_FILE = os.path.join(CERTDIR, 'signing_cert.pem') with open(self.SIGNING_CERT_FILE) as f: self.SIGNING_CERT = f.read() self.SIGNING_KEY_FILE = os.path.join(KEYDIR, 'signing_key.pem') with open(self.SIGNING_KEY_FILE) as f: self.SIGNING_KEY = f.read() self.SIGNING_CA_FILE = os.path.join(CERTDIR, 'cacert.pem') with open(self.SIGNING_CA_FILE) as f: self.SIGNING_CA = f.read() self.UUID_TOKEN_DEFAULT = "ec6c0710ec2f471498484c1b53ab4f9d" self.UUID_TOKEN_NO_SERVICE_CATALOG = '8286720fbe4941e69fa8241723bb02df' self.UUID_TOKEN_UNSCOPED = '731f903721c14827be7b2dc912af7776' self.VALID_DIABLO_TOKEN = 'b0cf19b55dbb4f20a6ee18e6c6cf1726' self.v3_UUID_TOKEN_DEFAULT = '5603457654b346fdbb93437bfe76f2f1' self.v3_UUID_TOKEN_UNSCOPED = 'd34835fdaec447e695a0a024d84f8d79' self.v3_UUID_TOKEN_DOMAIN_SCOPED = 'e8a7b63aaa4449f38f0c5c05c3581792' self.REVOKED_TOKEN_HASH = utils.hash_signed_token(self.REVOKED_TOKEN) self.REVOKED_TOKEN_LIST = ( {'revoked': [{'id': self.REVOKED_TOKEN_HASH, 'expires': timeutils.utcnow()}]}) self.REVOKED_TOKEN_LIST_JSON = jsonutils.dumps(self.REVOKED_TOKEN_LIST) self.REVOKED_v3_TOKEN_HASH = utils.hash_signed_token( self.REVOKED_v3_TOKEN) self.REVOKED_v3_TOKEN_LIST = ( {'revoked': [{'id': self.REVOKED_v3_TOKEN_HASH, 'expires': timeutils.utcnow()}]}) self.REVOKED_v3_TOKEN_LIST_JSON = jsonutils.dumps( self.REVOKED_v3_TOKEN_LIST) self.SIGNED_TOKEN_SCOPED_KEY = cms.cms_hash_token( self.SIGNED_TOKEN_SCOPED) self.SIGNED_TOKEN_UNSCOPED_KEY = cms.cms_hash_token( self.SIGNED_TOKEN_UNSCOPED) self.SIGNED_v3_TOKEN_SCOPED_KEY = cms.cms_hash_token( self.SIGNED_v3_TOKEN_SCOPED) self.INVALID_SIGNED_TOKEN = ( "MIIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "0000000000000000000000000000000000000000000000000000000000000000" "1111111111111111111111111111111111111111111111111111111111111111" "2222222222222222222222222222222222222222222222222222222222222222" "3333333333333333333333333333333333333333333333333333333333333333" "4444444444444444444444444444444444444444444444444444444444444444" "5555555555555555555555555555555555555555555555555555555555555555" "6666666666666666666666666666666666666666666666666666666666666666" "7777777777777777777777777777777777777777777777777777777777777777" "8888888888888888888888888888888888888888888888888888888888888888" "9999999999999999999999999999999999999999999999999999999999999999" "0000000000000000000000000000000000000000000000000000000000000000") # JSON responses keyed by token ID self.TOKEN_RESPONSES = { self.UUID_TOKEN_DEFAULT: { 'access': { 'token': { 'id': self.UUID_TOKEN_DEFAULT, 'expires': '2020-01-01T00:00:10.000123Z', 'tenant': { 'id': 'tenant_id1', 'name': 'tenant_name1', }, }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], }, 'serviceCatalog': {} }, }, self.VALID_DIABLO_TOKEN: { 'access': { 'token': { 'id': self.VALID_DIABLO_TOKEN, 'expires': '2020-01-01T00:00:10.000123Z', 'tenantId': 'tenant_id1', }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], }, }, }, self.UUID_TOKEN_UNSCOPED: { 'access': { 'token': { 'id': self.UUID_TOKEN_UNSCOPED, 'expires': '2020-01-01T00:00:10.000123Z', }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], }, }, }, self.UUID_TOKEN_NO_SERVICE_CATALOG: { 'access': { 'token': { 'id': 'valid-token', 'expires': '2020-01-01T00:00:10.000123Z', 'tenant': { 'id': 'tenant_id1', 'name': 'tenant_name1', }, }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], } }, }, self.v3_UUID_TOKEN_DEFAULT: { 'token': { 'expires_at': '2020-01-01T00:00:10.000123Z', 'user': { 'id': 'user_id1', 'name': 'user_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } }, 'project': { 'id': 'tenant_id1', 'name': 'tenant_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } }, 'roles': [ {'name': 'role1', 'id': 'Role1'}, {'name': 'role2', 'id': 'Role2'}, ], 'catalog': {} } }, self.v3_UUID_TOKEN_UNSCOPED: { 'token': { 'expires_at': '2020-01-01T00:00:10.000123Z', 'user': { 'id': 'user_id1', 'name': 'user_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } } } }, self.v3_UUID_TOKEN_DOMAIN_SCOPED: { 'token': { 'expires_at': '2020-01-01T00:00:10.000123Z', 'user': { 'id': 'user_id1', 'name': 'user_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } }, 'domain': { 'id': 'domain_id1', 'name': 'domain_name1', }, 'roles': [ {'name': 'role1', 'id': 'Role1'}, {'name': 'role2', 'id': 'Role2'}, ], 'catalog': {} } }, self.SIGNED_TOKEN_SCOPED_KEY: { 'access': { 'token': { 'id': self.SIGNED_TOKEN_SCOPED_KEY, }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'tenantId': 'tenant_id1', 'tenantName': 'tenant_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], }, }, }, self.SIGNED_TOKEN_UNSCOPED_KEY: { 'access': { 'token': { 'id': self.SIGNED_TOKEN_UNSCOPED_KEY, }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], }, }, }, self.SIGNED_v3_TOKEN_SCOPED_KEY: { 'token': { 'expires': '2020-01-01T00:00:10.000123Z', 'user': { 'id': 'user_id1', 'name': 'user_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } }, 'project': { 'id': 'tenant_id1', 'name': 'tenant_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } }, 'roles': [ {'name': 'role1'}, {'name': 'role2'} ], 'catalog': {} } }, } self.JSON_TOKEN_RESPONSES = dict([(k, jsonutils.dumps(v)) for k, v in six.iteritems(self.TOKEN_RESPONSES)])
def test_cms_hash_token_not_pki(self): """If the token_id is not a PKI token then it returns the token_id.""" token = 'something' self.assertFalse(cms.is_asn1_token(token)) self.assertThat(cms.cms_hash_token(token), matchers.Is(token))
def test_cms_hash_token_no_token_id(self): token_id = None self.assertThat(cms.cms_hash_token(token_id), matchers.Is(None))
'id': REVOKED_TOKEN_HASH, 'expires': timeutils.utcnow() }] } REVOKED_TOKEN_LIST_JSON = jsonutils.dumps(REVOKED_TOKEN_LIST) REVOKED_v3_TOKEN_HASH = utils.hash_signed_token(REVOKED_v3_TOKEN) REVOKED_v3_TOKEN_LIST = { 'revoked': [{ 'id': REVOKED_v3_TOKEN_HASH, 'expires': timeutils.utcnow() }] } REVOKED_v3_TOKEN_LIST_JSON = jsonutils.dumps(REVOKED_v3_TOKEN_LIST) SIGNED_TOKEN_SCOPED_KEY = cms.cms_hash_token(SIGNED_TOKEN_SCOPED) SIGNED_TOKEN_UNSCOPED_KEY = cms.cms_hash_token(SIGNED_TOKEN_UNSCOPED) SIGNED_v3_TOKEN_SCOPED_KEY = cms.cms_hash_token(SIGNED_v3_TOKEN_SCOPED) INVALID_SIGNED_TOKEN = \ "MIIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \ "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" \ "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" \ "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" \ "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" \ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \ "0000000000000000000000000000000000000000000000000000000000000000" \ "1111111111111111111111111111111111111111111111111111111111111111" \ "2222222222222222222222222222222222222222222222222222222222222222" \ "3333333333333333333333333333333333333333333333333333333333333333" \ "4444444444444444444444444444444444444444444444444444444444444444" \
def setUp(self): super(Examples, self).setUp() # The data for several tests are signed using openssl and are stored in # files in the signing subdirectory. In order to keep the values # consistent between the tests and the signed documents, we read them # in for use in the tests. with open(os.path.join(CMSDIR, 'auth_token_scoped.json')) as f: self.TOKEN_SCOPED_DATA = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_scoped.pem')) as f: self.SIGNED_TOKEN_SCOPED = cms.cms_to_token(f.read()) self.SIGNED_TOKEN_SCOPED_HASH = _hash_signed_token_safe( self.SIGNED_TOKEN_SCOPED) self.SIGNED_TOKEN_SCOPED_HASH_SHA256 = _hash_signed_token_safe( self.SIGNED_TOKEN_SCOPED, mode='sha256') with open(os.path.join(CMSDIR, 'auth_token_unscoped.pem')) as f: self.SIGNED_TOKEN_UNSCOPED = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_v3_token_scoped.pem')) as f: self.SIGNED_v3_TOKEN_SCOPED = cms.cms_to_token(f.read()) self.SIGNED_v3_TOKEN_SCOPED_HASH = _hash_signed_token_safe( self.SIGNED_v3_TOKEN_SCOPED) self.SIGNED_v3_TOKEN_SCOPED_HASH_SHA256 = _hash_signed_token_safe( self.SIGNED_v3_TOKEN_SCOPED, mode='sha256') with open(os.path.join(CMSDIR, 'auth_token_revoked.pem')) as f: self.REVOKED_TOKEN = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_scoped_expired.pem')) as f: self.SIGNED_TOKEN_SCOPED_EXPIRED = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_v3_token_revoked.pem')) as f: self.REVOKED_v3_TOKEN = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_scoped.pkiz')) as f: self.SIGNED_TOKEN_SCOPED_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_unscoped.pkiz')) as f: self.SIGNED_TOKEN_UNSCOPED_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_v3_token_scoped.pkiz')) as f: self.SIGNED_v3_TOKEN_SCOPED_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_revoked.pkiz')) as f: self.REVOKED_TOKEN_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_scoped_expired.pkiz')) as f: self.SIGNED_TOKEN_SCOPED_EXPIRED_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_v3_token_revoked.pkiz')) as f: self.REVOKED_v3_TOKEN_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'revocation_list.json')) as f: self.REVOCATION_LIST = jsonutils.loads(f.read()) with open(os.path.join(CMSDIR, 'revocation_list.pem')) as f: self.SIGNED_REVOCATION_LIST = jsonutils.dumps({'signed': f.read()}) self.SIGNING_CERT_FILE = os.path.join(CERTDIR, 'signing_cert.pem') with open(self.SIGNING_CERT_FILE) as f: self.SIGNING_CERT = f.read() self.KERBEROS_BIND = 'USER@REALM' self.SIGNING_KEY_FILE = os.path.join(KEYDIR, 'signing_key.pem') with open(self.SIGNING_KEY_FILE) as f: self.SIGNING_KEY = f.read() self.SIGNING_CA_FILE = os.path.join(CERTDIR, 'cacert.pem') with open(self.SIGNING_CA_FILE) as f: self.SIGNING_CA = f.read() self.UUID_TOKEN_DEFAULT = "ec6c0710ec2f471498484c1b53ab4f9d" self.UUID_TOKEN_NO_SERVICE_CATALOG = '8286720fbe4941e69fa8241723bb02df' self.UUID_TOKEN_UNSCOPED = '731f903721c14827be7b2dc912af7776' self.UUID_TOKEN_BIND = '3fc54048ad64405c98225ce0897af7c5' self.UUID_TOKEN_UNKNOWN_BIND = '8885fdf4d42e4fb9879e6379fa1eaf48' self.VALID_DIABLO_TOKEN = 'b0cf19b55dbb4f20a6ee18e6c6cf1726' self.v3_UUID_TOKEN_DEFAULT = '5603457654b346fdbb93437bfe76f2f1' self.v3_UUID_TOKEN_UNSCOPED = 'd34835fdaec447e695a0a024d84f8d79' self.v3_UUID_TOKEN_DOMAIN_SCOPED = 'e8a7b63aaa4449f38f0c5c05c3581792' self.v3_UUID_TOKEN_BIND = '2f61f73e1c854cbb9534c487f9bd63c2' self.v3_UUID_TOKEN_UNKNOWN_BIND = '7ed9781b62cd4880b8d8c6788ab1d1e2' revoked_token = self.REVOKED_TOKEN if isinstance(revoked_token, six.text_type): revoked_token = revoked_token.encode('utf-8') self.REVOKED_TOKEN_HASH = utils.hash_signed_token(revoked_token) self.REVOKED_TOKEN_HASH_SHA256 = utils.hash_signed_token(revoked_token, mode='sha256') self.REVOKED_TOKEN_LIST = ( {'revoked': [{'id': self.REVOKED_TOKEN_HASH, 'expires': timeutils.utcnow()}]}) self.REVOKED_TOKEN_LIST_JSON = jsonutils.dumps(self.REVOKED_TOKEN_LIST) revoked_v3_token = self.REVOKED_v3_TOKEN if isinstance(revoked_v3_token, six.text_type): revoked_v3_token = revoked_v3_token.encode('utf-8') self.REVOKED_v3_TOKEN_HASH = utils.hash_signed_token(revoked_v3_token) hash = utils.hash_signed_token(revoked_v3_token, mode='sha256') self.REVOKED_v3_TOKEN_HASH_SHA256 = hash self.REVOKED_v3_TOKEN_LIST = ( {'revoked': [{'id': self.REVOKED_v3_TOKEN_HASH, 'expires': timeutils.utcnow()}]}) self.REVOKED_v3_TOKEN_LIST_JSON = jsonutils.dumps( self.REVOKED_v3_TOKEN_LIST) revoked_token_pkiz = self.REVOKED_TOKEN_PKIZ if isinstance(revoked_token_pkiz, six.text_type): revoked_token_pkiz = revoked_token_pkiz.encode('utf-8') self.REVOKED_TOKEN_PKIZ_HASH = utils.hash_signed_token( revoked_token_pkiz) revoked_v3_token_pkiz = self.REVOKED_v3_TOKEN_PKIZ if isinstance(revoked_v3_token_pkiz, six.text_type): revoked_v3_token_pkiz = revoked_v3_token_pkiz.encode('utf-8') self.REVOKED_v3_PKIZ_TOKEN_HASH = utils.hash_signed_token( revoked_v3_token_pkiz) self.REVOKED_TOKEN_PKIZ_LIST = ( {'revoked': [{'id': self.REVOKED_TOKEN_PKIZ_HASH, 'expires': timeutils.utcnow()}, {'id': self.REVOKED_v3_PKIZ_TOKEN_HASH, 'expires': timeutils.utcnow()}, ]}) self.REVOKED_TOKEN_PKIZ_LIST_JSON = jsonutils.dumps( self.REVOKED_TOKEN_PKIZ_LIST) self.SIGNED_TOKEN_SCOPED_KEY = cms.cms_hash_token( self.SIGNED_TOKEN_SCOPED) self.SIGNED_TOKEN_UNSCOPED_KEY = cms.cms_hash_token( self.SIGNED_TOKEN_UNSCOPED) self.SIGNED_v3_TOKEN_SCOPED_KEY = cms.cms_hash_token( self.SIGNED_v3_TOKEN_SCOPED) self.SIGNED_TOKEN_SCOPED_PKIZ_KEY = cms.cms_hash_token( self.SIGNED_TOKEN_SCOPED_PKIZ) self.SIGNED_TOKEN_UNSCOPED_PKIZ_KEY = cms.cms_hash_token( self.SIGNED_TOKEN_UNSCOPED_PKIZ) self.SIGNED_v3_TOKEN_SCOPED_PKIZ_KEY = cms.cms_hash_token( self.SIGNED_v3_TOKEN_SCOPED_PKIZ) self.INVALID_SIGNED_TOKEN = ( "MIIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "0000000000000000000000000000000000000000000000000000000000000000" "1111111111111111111111111111111111111111111111111111111111111111" "2222222222222222222222222222222222222222222222222222222222222222" "3333333333333333333333333333333333333333333333333333333333333333" "4444444444444444444444444444444444444444444444444444444444444444" "5555555555555555555555555555555555555555555555555555555555555555" "6666666666666666666666666666666666666666666666666666666666666666" "7777777777777777777777777777777777777777777777777777777777777777" "8888888888888888888888888888888888888888888888888888888888888888" "9999999999999999999999999999999999999999999999999999999999999999" "0000000000000000000000000000000000000000000000000000000000000000") self.INVALID_SIGNED_PKIZ_TOKEN = ( "PKIZ_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "0000000000000000000000000000000000000000000000000000000000000000" "1111111111111111111111111111111111111111111111111111111111111111" "2222222222222222222222222222222222222222222222222222222222222222" "3333333333333333333333333333333333333333333333333333333333333333" "4444444444444444444444444444444444444444444444444444444444444444" "5555555555555555555555555555555555555555555555555555555555555555" "6666666666666666666666666666666666666666666666666666666666666666" "7777777777777777777777777777777777777777777777777777777777777777" "8888888888888888888888888888888888888888888888888888888888888888" "9999999999999999999999999999999999999999999999999999999999999999" "0000000000000000000000000000000000000000000000000000000000000000") # JSON responses keyed by token ID self.TOKEN_RESPONSES = { self.UUID_TOKEN_DEFAULT: { 'access': { 'token': { 'id': self.UUID_TOKEN_DEFAULT, 'expires': '2020-01-01T00:00:10.000123Z', 'tenant': { 'id': 'tenant_id1', 'name': 'tenant_name1', }, }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], }, 'serviceCatalog': {} }, }, self.VALID_DIABLO_TOKEN: { 'access': { 'token': { 'id': self.VALID_DIABLO_TOKEN, 'expires': '2020-01-01T00:00:10.000123Z', 'tenantId': 'tenant_id1', }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], }, }, }, self.UUID_TOKEN_UNSCOPED: { 'access': { 'token': { 'id': self.UUID_TOKEN_UNSCOPED, 'expires': '2020-01-01T00:00:10.000123Z', }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], }, }, }, self.UUID_TOKEN_NO_SERVICE_CATALOG: { 'access': { 'token': { 'id': 'valid-token', 'expires': '2020-01-01T00:00:10.000123Z', 'tenant': { 'id': 'tenant_id1', 'name': 'tenant_name1', }, }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], } }, }, self.UUID_TOKEN_BIND: { 'access': { 'token': { 'bind': {'kerberos': self.KERBEROS_BIND}, 'id': self.UUID_TOKEN_BIND, 'expires': '2020-01-01T00:00:10.000123Z', 'tenant': { 'id': 'tenant_id1', 'name': 'tenant_name1', }, }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], }, 'serviceCatalog': {} }, }, self.UUID_TOKEN_UNKNOWN_BIND: { 'access': { 'token': { 'bind': {'FOO': 'BAR'}, 'id': self.UUID_TOKEN_UNKNOWN_BIND, 'expires': '2020-01-01T00:00:10.000123Z', 'tenant': { 'id': 'tenant_id1', 'name': 'tenant_name1', }, }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], }, 'serviceCatalog': {} }, }, self.v3_UUID_TOKEN_DEFAULT: { 'token': { 'expires_at': '2020-01-01T00:00:10.000123Z', 'methods': ['password'], 'user': { 'id': 'user_id1', 'name': 'user_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } }, 'project': { 'id': 'tenant_id1', 'name': 'tenant_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } }, 'roles': [ {'name': 'role1', 'id': 'Role1'}, {'name': 'role2', 'id': 'Role2'}, ], 'catalog': {} } }, self.v3_UUID_TOKEN_UNSCOPED: { 'token': { 'expires_at': '2020-01-01T00:00:10.000123Z', 'methods': ['password'], 'user': { 'id': 'user_id1', 'name': 'user_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } } } }, self.v3_UUID_TOKEN_DOMAIN_SCOPED: { 'token': { 'expires_at': '2020-01-01T00:00:10.000123Z', 'methods': ['password'], 'user': { 'id': 'user_id1', 'name': 'user_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } }, 'domain': { 'id': 'domain_id1', 'name': 'domain_name1', }, 'roles': [ {'name': 'role1', 'id': 'Role1'}, {'name': 'role2', 'id': 'Role2'}, ], 'catalog': {} } }, self.SIGNED_TOKEN_SCOPED_KEY: { 'access': { 'token': { 'id': self.SIGNED_TOKEN_SCOPED_KEY, 'expires': '2020-01-01T00:00:10.000123Z', }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'tenantId': 'tenant_id1', 'tenantName': 'tenant_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], }, }, }, self.SIGNED_TOKEN_UNSCOPED_KEY: { 'access': { 'token': { 'id': self.SIGNED_TOKEN_UNSCOPED_KEY, 'expires': '2020-01-01T00:00:10.000123Z', }, 'user': { 'id': 'user_id1', 'name': 'user_name1', 'roles': [ {'name': 'role1'}, {'name': 'role2'}, ], }, }, }, self.SIGNED_v3_TOKEN_SCOPED_KEY: { 'token': { 'expires_at': '2020-01-01T00:00:10.000123Z', 'methods': ['password'], 'user': { 'id': 'user_id1', 'name': 'user_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } }, 'project': { 'id': 'tenant_id1', 'name': 'tenant_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } }, 'roles': [ {'name': 'role1'}, {'name': 'role2'} ], 'catalog': {} } }, self.v3_UUID_TOKEN_BIND: { 'token': { 'bind': {'kerberos': self.KERBEROS_BIND}, 'methods': ['password'], 'expires_at': '2020-01-01T00:00:10.000123Z', 'user': { 'id': 'user_id1', 'name': 'user_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } }, 'project': { 'id': 'tenant_id1', 'name': 'tenant_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } }, 'roles': [ {'name': 'role1', 'id': 'Role1'}, {'name': 'role2', 'id': 'Role2'}, ], 'catalog': {} } }, self.v3_UUID_TOKEN_UNKNOWN_BIND: { 'token': { 'bind': {'FOO': 'BAR'}, 'expires_at': '2020-01-01T00:00:10.000123Z', 'methods': ['password'], 'user': { 'id': 'user_id1', 'name': 'user_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } }, 'project': { 'id': 'tenant_id1', 'name': 'tenant_name1', 'domain': { 'id': 'domain_id1', 'name': 'domain_name1' } }, 'roles': [ {'name': 'role1', 'id': 'Role1'}, {'name': 'role2', 'id': 'Role2'}, ], 'catalog': {} } }, } self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_PKIZ_KEY] = ( self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY]) self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_PKIZ_KEY] = ( self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_KEY]) self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_PKIZ_KEY] = ( self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_KEY]) self.JSON_TOKEN_RESPONSES = dict([(k, jsonutils.dumps(v)) for k, v in six.iteritems(self.TOKEN_RESPONSES)])
def _get_cached_token(self, token): token_id = cms.cms_hash_token(token) # NOTE(vish): example tokens are expired so skip the expiration check. return self.middleware._cache_get(token_id, ignore_expires=True)
def setUp(self): super(Examples, self).setUp() # The data for several tests are signed using openssl and are stored in # files in the signing subdirectory. In order to keep the values # consistent between the tests and the signed documents, we read them # in for use in the tests. with open(os.path.join(CMSDIR, 'auth_token_scoped.json')) as f: self.TOKEN_SCOPED_DATA = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_scoped.pem')) as f: self.SIGNED_TOKEN_SCOPED = cms.cms_to_token(f.read()) self.SIGNED_TOKEN_SCOPED_HASH = _hash_signed_token_safe( self.SIGNED_TOKEN_SCOPED) self.SIGNED_TOKEN_SCOPED_HASH_SHA256 = _hash_signed_token_safe( self.SIGNED_TOKEN_SCOPED, mode='sha256') with open(os.path.join(CMSDIR, 'auth_token_unscoped.pem')) as f: self.SIGNED_TOKEN_UNSCOPED = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_v3_token_scoped.pem')) as f: self.SIGNED_v3_TOKEN_SCOPED = cms.cms_to_token(f.read()) self.SIGNED_v3_TOKEN_SCOPED_HASH = _hash_signed_token_safe( self.SIGNED_v3_TOKEN_SCOPED) self.SIGNED_v3_TOKEN_SCOPED_HASH_SHA256 = _hash_signed_token_safe( self.SIGNED_v3_TOKEN_SCOPED, mode='sha256') with open(os.path.join(CMSDIR, 'auth_token_revoked.pem')) as f: self.REVOKED_TOKEN = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_scoped_expired.pem')) as f: self.SIGNED_TOKEN_SCOPED_EXPIRED = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_v3_token_revoked.pem')) as f: self.REVOKED_v3_TOKEN = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_scoped.pkiz')) as f: self.SIGNED_TOKEN_SCOPED_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_unscoped.pkiz')) as f: self.SIGNED_TOKEN_UNSCOPED_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_v3_token_scoped.pkiz')) as f: self.SIGNED_v3_TOKEN_SCOPED_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_revoked.pkiz')) as f: self.REVOKED_TOKEN_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_scoped_expired.pkiz')) as f: self.SIGNED_TOKEN_SCOPED_EXPIRED_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_v3_token_revoked.pkiz')) as f: self.REVOKED_v3_TOKEN_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'revocation_list.json')) as f: self.REVOCATION_LIST = jsonutils.loads(f.read()) with open(os.path.join(CMSDIR, 'revocation_list.pem')) as f: self.SIGNED_REVOCATION_LIST = jsonutils.dumps({'signed': f.read()}) self.SIGNING_CERT_FILE = os.path.join(CERTDIR, 'signing_cert.pem') with open(self.SIGNING_CERT_FILE) as f: self.SIGNING_CERT = f.read() self.KERBEROS_BIND = 'USER@REALM' self.SERVICE_KERBEROS_BIND = 'SERVICE_USER@SERVICE_REALM' self.SIGNING_KEY_FILE = os.path.join(KEYDIR, 'signing_key.pem') with open(self.SIGNING_KEY_FILE) as f: self.SIGNING_KEY = f.read() self.SIGNING_CA_FILE = os.path.join(CERTDIR, 'cacert.pem') with open(self.SIGNING_CA_FILE) as f: self.SIGNING_CA = f.read() self.UUID_TOKEN_DEFAULT = "ec6c0710ec2f471498484c1b53ab4f9d" self.UUID_TOKEN_NO_SERVICE_CATALOG = '8286720fbe4941e69fa8241723bb02df' self.UUID_TOKEN_UNSCOPED = '731f903721c14827be7b2dc912af7776' self.UUID_TOKEN_BIND = '3fc54048ad64405c98225ce0897af7c5' self.UUID_TOKEN_UNKNOWN_BIND = '8885fdf4d42e4fb9879e6379fa1eaf48' self.VALID_DIABLO_TOKEN = 'b0cf19b55dbb4f20a6ee18e6c6cf1726' self.v3_UUID_TOKEN_DEFAULT = '5603457654b346fdbb93437bfe76f2f1' self.v3_UUID_TOKEN_UNSCOPED = 'd34835fdaec447e695a0a024d84f8d79' self.v3_UUID_TOKEN_DOMAIN_SCOPED = 'e8a7b63aaa4449f38f0c5c05c3581792' self.v3_UUID_TOKEN_BIND = '2f61f73e1c854cbb9534c487f9bd63c2' self.v3_UUID_TOKEN_UNKNOWN_BIND = '7ed9781b62cd4880b8d8c6788ab1d1e2' self.UUID_SERVICE_TOKEN_DEFAULT = 'fe4c0710ec2f492748596c1b53ab124' self.UUID_SERVICE_TOKEN_BIND = '5e43439613d34a13a7e03b2762bd08ab' self.v3_UUID_SERVICE_TOKEN_DEFAULT = 'g431071bbc2f492748596c1b53cb229' self.v3_UUID_SERVICE_TOKEN_BIND = 'be705e4426d0449a89e35ae21c380a05' self.v3_NOT_IS_ADMIN_PROJECT = uuid.uuid4().hex revoked_token = self.REVOKED_TOKEN if isinstance(revoked_token, six.text_type): revoked_token = revoked_token.encode('utf-8') self.REVOKED_TOKEN_HASH = utils.hash_signed_token(revoked_token) self.REVOKED_TOKEN_HASH_SHA256 = utils.hash_signed_token(revoked_token, mode='sha256') self.REVOKED_TOKEN_LIST = ( {'revoked': [{'id': self.REVOKED_TOKEN_HASH, 'expires': timeutils.utcnow()}]}) self.REVOKED_TOKEN_LIST_JSON = jsonutils.dumps(self.REVOKED_TOKEN_LIST) revoked_v3_token = self.REVOKED_v3_TOKEN if isinstance(revoked_v3_token, six.text_type): revoked_v3_token = revoked_v3_token.encode('utf-8') self.REVOKED_v3_TOKEN_HASH = utils.hash_signed_token(revoked_v3_token) hash = utils.hash_signed_token(revoked_v3_token, mode='sha256') self.REVOKED_v3_TOKEN_HASH_SHA256 = hash self.REVOKED_v3_TOKEN_LIST = ( {'revoked': [{'id': self.REVOKED_v3_TOKEN_HASH, 'expires': timeutils.utcnow()}]}) self.REVOKED_v3_TOKEN_LIST_JSON = jsonutils.dumps( self.REVOKED_v3_TOKEN_LIST) revoked_token_pkiz = self.REVOKED_TOKEN_PKIZ if isinstance(revoked_token_pkiz, six.text_type): revoked_token_pkiz = revoked_token_pkiz.encode('utf-8') self.REVOKED_TOKEN_PKIZ_HASH = utils.hash_signed_token( revoked_token_pkiz) revoked_v3_token_pkiz = self.REVOKED_v3_TOKEN_PKIZ if isinstance(revoked_v3_token_pkiz, six.text_type): revoked_v3_token_pkiz = revoked_v3_token_pkiz.encode('utf-8') self.REVOKED_v3_PKIZ_TOKEN_HASH = utils.hash_signed_token( revoked_v3_token_pkiz) self.REVOKED_TOKEN_PKIZ_LIST = ( {'revoked': [{'id': self.REVOKED_TOKEN_PKIZ_HASH, 'expires': timeutils.utcnow()}, {'id': self.REVOKED_v3_PKIZ_TOKEN_HASH, 'expires': timeutils.utcnow()}, ]}) self.REVOKED_TOKEN_PKIZ_LIST_JSON = jsonutils.dumps( self.REVOKED_TOKEN_PKIZ_LIST) self.SIGNED_TOKEN_SCOPED_KEY = cms.cms_hash_token( self.SIGNED_TOKEN_SCOPED) self.SIGNED_TOKEN_UNSCOPED_KEY = cms.cms_hash_token( self.SIGNED_TOKEN_UNSCOPED) self.SIGNED_v3_TOKEN_SCOPED_KEY = cms.cms_hash_token( self.SIGNED_v3_TOKEN_SCOPED) self.SIGNED_TOKEN_SCOPED_PKIZ_KEY = cms.cms_hash_token( self.SIGNED_TOKEN_SCOPED_PKIZ) self.SIGNED_TOKEN_UNSCOPED_PKIZ_KEY = cms.cms_hash_token( self.SIGNED_TOKEN_UNSCOPED_PKIZ) self.SIGNED_v3_TOKEN_SCOPED_PKIZ_KEY = cms.cms_hash_token( self.SIGNED_v3_TOKEN_SCOPED_PKIZ) self.INVALID_SIGNED_TOKEN = ( "MIIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "0000000000000000000000000000000000000000000000000000000000000000" "1111111111111111111111111111111111111111111111111111111111111111" "2222222222222222222222222222222222222222222222222222222222222222" "3333333333333333333333333333333333333333333333333333333333333333" "4444444444444444444444444444444444444444444444444444444444444444" "5555555555555555555555555555555555555555555555555555555555555555" "6666666666666666666666666666666666666666666666666666666666666666" "7777777777777777777777777777777777777777777777777777777777777777" "8888888888888888888888888888888888888888888888888888888888888888" "9999999999999999999999999999999999999999999999999999999999999999" "0000000000000000000000000000000000000000000000000000000000000000") self.INVALID_SIGNED_PKIZ_TOKEN = ( "PKIZ_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "0000000000000000000000000000000000000000000000000000000000000000" "1111111111111111111111111111111111111111111111111111111111111111" "2222222222222222222222222222222222222222222222222222222222222222" "3333333333333333333333333333333333333333333333333333333333333333" "4444444444444444444444444444444444444444444444444444444444444444" "5555555555555555555555555555555555555555555555555555555555555555" "6666666666666666666666666666666666666666666666666666666666666666" "7777777777777777777777777777777777777777777777777777777777777777" "8888888888888888888888888888888888888888888888888888888888888888" "9999999999999999999999999999999999999999999999999999999999999999" "0000000000000000000000000000000000000000000000000000000000000000") # JSON responses keyed by token ID self.TOKEN_RESPONSES = {} # basic values PROJECT_ID = 'tenant_id1' PROJECT_NAME = 'tenant_name1' USER_ID = 'user_id1' USER_NAME = 'user_name1' DOMAIN_ID = 'domain_id1' DOMAIN_NAME = 'domain_name1' ROLE_NAME1 = 'role1' ROLE_NAME2 = 'role2' SERVICE_PROJECT_ID = 'service_project_id1' SERVICE_PROJECT_NAME = 'service_project_name1' SERVICE_USER_ID = 'service_user_id1' SERVICE_USER_NAME = 'service_user_name1' SERVICE_DOMAIN_ID = 'service_domain_id1' SERVICE_DOMAIN_NAME = 'service_domain_name1' SERVICE_ROLE_NAME1 = 'service_role1' SERVICE_ROLE_NAME2 = 'service_role2' self.SERVICE_TYPE = 'identity' self.UNVERSIONED_SERVICE_URL = 'http://keystone.server:5000/' self.SERVICE_URL = self.UNVERSIONED_SERVICE_URL + 'v2.0' # Old Tokens self.TOKEN_RESPONSES[self.VALID_DIABLO_TOKEN] = { 'access': { 'token': { 'id': self.VALID_DIABLO_TOKEN, 'expires': '2020-01-01T00:00:10.000123Z', 'tenantId': PROJECT_ID, }, 'user': { 'id': USER_ID, 'name': USER_NAME, 'roles': [ {'name': ROLE_NAME1}, {'name': ROLE_NAME2}, ], }, }, } # Generated V2 Tokens token = fixture.V2Token(token_id=self.UUID_TOKEN_DEFAULT, tenant_id=PROJECT_ID, tenant_name=PROJECT_NAME, user_id=USER_ID, user_name=USER_NAME) token.add_role(name=ROLE_NAME1) token.add_role(name=ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint(public=self.SERVICE_URL) self.TOKEN_RESPONSES[self.UUID_TOKEN_DEFAULT] = token token = fixture.V2Token(token_id=self.UUID_TOKEN_UNSCOPED, user_id=USER_ID, user_name=USER_NAME) self.TOKEN_RESPONSES[self.UUID_TOKEN_UNSCOPED] = token token = fixture.V2Token(token_id='valid-token', tenant_id=PROJECT_ID, tenant_name=PROJECT_NAME, user_id=USER_ID, user_name=USER_NAME) token.add_role(ROLE_NAME1) token.add_role(ROLE_NAME2) self.TOKEN_RESPONSES[self.UUID_TOKEN_NO_SERVICE_CATALOG] = token token = fixture.V2Token(token_id=self.SIGNED_TOKEN_SCOPED_KEY, tenant_id=PROJECT_ID, tenant_name=PROJECT_NAME, user_id=USER_ID, user_name=USER_NAME) token.add_role(ROLE_NAME1) token.add_role(ROLE_NAME2) self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY] = token token = fixture.V2Token(token_id=self.SIGNED_TOKEN_UNSCOPED_KEY, user_id=USER_ID, user_name=USER_NAME) self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_KEY] = token token = fixture.V2Token(token_id=self.UUID_TOKEN_BIND, tenant_id=PROJECT_ID, tenant_name=PROJECT_NAME, user_id=USER_ID, user_name=USER_NAME) token.add_role(ROLE_NAME1) token.add_role(ROLE_NAME2) token['access']['token']['bind'] = {'kerberos': self.KERBEROS_BIND} self.TOKEN_RESPONSES[self.UUID_TOKEN_BIND] = token token = fixture.V2Token(token_id=self.UUID_SERVICE_TOKEN_BIND, tenant_id=SERVICE_PROJECT_ID, tenant_name=SERVICE_PROJECT_NAME, user_id=SERVICE_USER_ID, user_name=SERVICE_USER_NAME) token.add_role(SERVICE_ROLE_NAME1) token.add_role(SERVICE_ROLE_NAME2) token['access']['token']['bind'] = { 'kerberos': self.SERVICE_KERBEROS_BIND} self.TOKEN_RESPONSES[self.UUID_SERVICE_TOKEN_BIND] = token token = fixture.V2Token(token_id=self.UUID_TOKEN_UNKNOWN_BIND, tenant_id=PROJECT_ID, tenant_name=PROJECT_NAME, user_id=USER_ID, user_name=USER_NAME) token.add_role(ROLE_NAME1) token.add_role(ROLE_NAME2) token['access']['token']['bind'] = {'FOO': 'BAR'} self.TOKEN_RESPONSES[self.UUID_TOKEN_UNKNOWN_BIND] = token token = fixture.V2Token(token_id=self.UUID_SERVICE_TOKEN_DEFAULT, tenant_id=SERVICE_PROJECT_ID, tenant_name=SERVICE_PROJECT_NAME, user_id=SERVICE_USER_ID, user_name=SERVICE_USER_NAME) token.add_role(name=SERVICE_ROLE_NAME1) token.add_role(name=SERVICE_ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint(public=self.SERVICE_URL) self.TOKEN_RESPONSES[self.UUID_SERVICE_TOKEN_DEFAULT] = token # Generated V3 Tokens token = fixture.V3Token(user_id=USER_ID, user_name=USER_NAME, user_domain_id=DOMAIN_ID, user_domain_name=DOMAIN_NAME, project_id=PROJECT_ID, project_name=PROJECT_NAME, project_domain_id=DOMAIN_ID, project_domain_name=DOMAIN_NAME) token.add_role(id=ROLE_NAME1, name=ROLE_NAME1) token.add_role(id=ROLE_NAME2, name=ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint('public', self.SERVICE_URL) self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_DEFAULT] = token token = fixture.V3Token(user_id=USER_ID, user_name=USER_NAME, user_domain_id=DOMAIN_ID, user_domain_name=DOMAIN_NAME) self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_UNSCOPED] = token token = fixture.V3Token(user_id=USER_ID, user_name=USER_NAME, user_domain_id=DOMAIN_ID, user_domain_name=DOMAIN_NAME, domain_id=DOMAIN_ID, domain_name=DOMAIN_NAME) token.add_role(id=ROLE_NAME1, name=ROLE_NAME1) token.add_role(id=ROLE_NAME2, name=ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint('public', self.SERVICE_URL) self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_DOMAIN_SCOPED] = token token = fixture.V3Token(user_id=USER_ID, user_name=USER_NAME, user_domain_id=DOMAIN_ID, user_domain_name=DOMAIN_NAME, project_id=PROJECT_ID, project_name=PROJECT_NAME, project_domain_id=DOMAIN_ID, project_domain_name=DOMAIN_NAME) token.add_role(name=ROLE_NAME1) token.add_role(name=ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint('public', self.SERVICE_URL) self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_KEY] = token token = fixture.V3Token(user_id=USER_ID, user_name=USER_NAME, user_domain_id=DOMAIN_ID, user_domain_name=DOMAIN_NAME, project_id=PROJECT_ID, project_name=PROJECT_NAME, project_domain_id=DOMAIN_ID, project_domain_name=DOMAIN_NAME) token.add_role(name=ROLE_NAME1) token.add_role(name=ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint('public', self.SERVICE_URL) token['token']['bind'] = {'kerberos': self.KERBEROS_BIND} self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_BIND] = token token = fixture.V3Token(user_id=SERVICE_USER_ID, user_name=SERVICE_USER_NAME, user_domain_id=SERVICE_DOMAIN_ID, user_domain_name=SERVICE_DOMAIN_NAME, project_id=SERVICE_PROJECT_ID, project_name=SERVICE_PROJECT_NAME, project_domain_id=SERVICE_DOMAIN_ID, project_domain_name=SERVICE_DOMAIN_NAME) token.add_role(name=SERVICE_ROLE_NAME1) token.add_role(name=SERVICE_ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint('public', self.SERVICE_URL) token['token']['bind'] = {'kerberos': self.SERVICE_KERBEROS_BIND} self.TOKEN_RESPONSES[self.v3_UUID_SERVICE_TOKEN_BIND] = token token = fixture.V3Token(user_id=USER_ID, user_name=USER_NAME, user_domain_id=DOMAIN_ID, user_domain_name=DOMAIN_NAME, project_id=PROJECT_ID, project_name=PROJECT_NAME, project_domain_id=DOMAIN_ID, project_domain_name=DOMAIN_NAME) token.add_role(name=ROLE_NAME1) token.add_role(name=ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint('public', self.SERVICE_URL) token['token']['bind'] = {'FOO': 'BAR'} self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_UNKNOWN_BIND] = token token = fixture.V3Token(user_id=SERVICE_USER_ID, user_name=SERVICE_USER_NAME, user_domain_id=SERVICE_DOMAIN_ID, user_domain_name=SERVICE_DOMAIN_NAME, project_id=SERVICE_PROJECT_ID, project_name=SERVICE_PROJECT_NAME, project_domain_id=SERVICE_DOMAIN_ID, project_domain_name=SERVICE_DOMAIN_NAME) token.add_role(id=SERVICE_ROLE_NAME1, name=SERVICE_ROLE_NAME1) token.add_role(id=SERVICE_ROLE_NAME2, name=SERVICE_ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint('public', self.SERVICE_URL) self.TOKEN_RESPONSES[self.v3_UUID_SERVICE_TOKEN_DEFAULT] = token token = fixture.V3Token(user_id=USER_ID, user_name=USER_NAME, user_domain_id=DOMAIN_ID, user_domain_name=DOMAIN_NAME, project_id=PROJECT_ID, project_name=PROJECT_NAME, project_domain_id=DOMAIN_ID, project_domain_name=DOMAIN_NAME, is_admin_project=False) token.add_role(name=ROLE_NAME1) token.add_role(name=ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint('public', self.SERVICE_URL) self.TOKEN_RESPONSES[self.v3_NOT_IS_ADMIN_PROJECT] = token # PKIZ tokens generally link to above tokens self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_PKIZ_KEY] = ( self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY]) self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_PKIZ_KEY] = ( self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_KEY]) self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_PKIZ_KEY] = ( self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_KEY]) self.JSON_TOKEN_RESPONSES = dict([(k, jsonutils.dumps(v)) for k, v in six.iteritems(self.TOKEN_RESPONSES)])
def _get_cached_token(self, token): token_id = cms.cms_hash_token(token) # NOTE(vish): example tokens are expired so skip the expiration check. key = self.middleware._get_cache_key(token_id) cached = self.middleware._cache.get(key) return self.middleware._unprotect_cache_value(token, cached)
def setUp(self): super(Examples, self).setUp() # The data for several tests are signed using openssl and are stored in # files in the signing subdirectory. In order to keep the values # consistent between the tests and the signed documents, we read them # in for use in the tests. with open(os.path.join(CMSDIR, 'auth_token_scoped.json')) as f: self.TOKEN_SCOPED_DATA = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_scoped.pem')) as f: self.SIGNED_TOKEN_SCOPED = cms.cms_to_token(f.read()) self.SIGNED_TOKEN_SCOPED_HASH = _hash_signed_token_safe( self.SIGNED_TOKEN_SCOPED) self.SIGNED_TOKEN_SCOPED_HASH_SHA256 = _hash_signed_token_safe( self.SIGNED_TOKEN_SCOPED, mode='sha256') with open(os.path.join(CMSDIR, 'auth_token_unscoped.pem')) as f: self.SIGNED_TOKEN_UNSCOPED = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_v3_token_scoped.pem')) as f: self.SIGNED_v3_TOKEN_SCOPED = cms.cms_to_token(f.read()) self.SIGNED_v3_TOKEN_SCOPED_HASH = _hash_signed_token_safe( self.SIGNED_v3_TOKEN_SCOPED) self.SIGNED_v3_TOKEN_SCOPED_HASH_SHA256 = _hash_signed_token_safe( self.SIGNED_v3_TOKEN_SCOPED, mode='sha256') with open(os.path.join(CMSDIR, 'auth_token_revoked.pem')) as f: self.REVOKED_TOKEN = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_scoped_expired.pem')) as f: self.SIGNED_TOKEN_SCOPED_EXPIRED = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_v3_token_revoked.pem')) as f: self.REVOKED_v3_TOKEN = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_scoped.pkiz')) as f: self.SIGNED_TOKEN_SCOPED_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_unscoped.pkiz')) as f: self.SIGNED_TOKEN_UNSCOPED_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_v3_token_scoped.pkiz')) as f: self.SIGNED_v3_TOKEN_SCOPED_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_revoked.pkiz')) as f: self.REVOKED_TOKEN_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_token_scoped_expired.pkiz')) as f: self.SIGNED_TOKEN_SCOPED_EXPIRED_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'auth_v3_token_revoked.pkiz')) as f: self.REVOKED_v3_TOKEN_PKIZ = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, 'revocation_list.json')) as f: self.REVOCATION_LIST = jsonutils.loads(f.read()) with open(os.path.join(CMSDIR, 'revocation_list.pem')) as f: self.SIGNED_REVOCATION_LIST = jsonutils.dumps({'signed': f.read()}) self.SIGNING_CERT_FILE = os.path.join(CERTDIR, 'signing_cert.pem') with open(self.SIGNING_CERT_FILE) as f: self.SIGNING_CERT = f.read() self.KERBEROS_BIND = 'USER@REALM' self.SIGNING_KEY_FILE = os.path.join(KEYDIR, 'signing_key.pem') with open(self.SIGNING_KEY_FILE) as f: self.SIGNING_KEY = f.read() self.SIGNING_CA_FILE = os.path.join(CERTDIR, 'cacert.pem') with open(self.SIGNING_CA_FILE) as f: self.SIGNING_CA = f.read() self.UUID_TOKEN_DEFAULT = "ec6c0710ec2f471498484c1b53ab4f9d" self.UUID_TOKEN_NO_SERVICE_CATALOG = '8286720fbe4941e69fa8241723bb02df' self.UUID_TOKEN_UNSCOPED = '731f903721c14827be7b2dc912af7776' self.UUID_TOKEN_BIND = '3fc54048ad64405c98225ce0897af7c5' self.UUID_TOKEN_UNKNOWN_BIND = '8885fdf4d42e4fb9879e6379fa1eaf48' self.VALID_DIABLO_TOKEN = 'b0cf19b55dbb4f20a6ee18e6c6cf1726' self.v3_UUID_TOKEN_DEFAULT = '5603457654b346fdbb93437bfe76f2f1' self.v3_UUID_TOKEN_UNSCOPED = 'd34835fdaec447e695a0a024d84f8d79' self.v3_UUID_TOKEN_DOMAIN_SCOPED = 'e8a7b63aaa4449f38f0c5c05c3581792' self.v3_UUID_TOKEN_BIND = '2f61f73e1c854cbb9534c487f9bd63c2' self.v3_UUID_TOKEN_UNKNOWN_BIND = '7ed9781b62cd4880b8d8c6788ab1d1e2' self.UUID_SERVICE_TOKEN_DEFAULT = 'fe4c0710ec2f492748596c1b53ab124' self.v3_UUID_SERVICE_TOKEN_DEFAULT = 'g431071bbc2f492748596c1b53cb229' revoked_token = self.REVOKED_TOKEN if isinstance(revoked_token, six.text_type): revoked_token = revoked_token.encode('utf-8') self.REVOKED_TOKEN_HASH = utils.hash_signed_token(revoked_token) self.REVOKED_TOKEN_HASH_SHA256 = utils.hash_signed_token(revoked_token, mode='sha256') self.REVOKED_TOKEN_LIST = ( {'revoked': [{'id': self.REVOKED_TOKEN_HASH, 'expires': timeutils.utcnow()}]}) self.REVOKED_TOKEN_LIST_JSON = jsonutils.dumps(self.REVOKED_TOKEN_LIST) revoked_v3_token = self.REVOKED_v3_TOKEN if isinstance(revoked_v3_token, six.text_type): revoked_v3_token = revoked_v3_token.encode('utf-8') self.REVOKED_v3_TOKEN_HASH = utils.hash_signed_token(revoked_v3_token) hash = utils.hash_signed_token(revoked_v3_token, mode='sha256') self.REVOKED_v3_TOKEN_HASH_SHA256 = hash self.REVOKED_v3_TOKEN_LIST = ( {'revoked': [{'id': self.REVOKED_v3_TOKEN_HASH, 'expires': timeutils.utcnow()}]}) self.REVOKED_v3_TOKEN_LIST_JSON = jsonutils.dumps( self.REVOKED_v3_TOKEN_LIST) revoked_token_pkiz = self.REVOKED_TOKEN_PKIZ if isinstance(revoked_token_pkiz, six.text_type): revoked_token_pkiz = revoked_token_pkiz.encode('utf-8') self.REVOKED_TOKEN_PKIZ_HASH = utils.hash_signed_token( revoked_token_pkiz) revoked_v3_token_pkiz = self.REVOKED_v3_TOKEN_PKIZ if isinstance(revoked_v3_token_pkiz, six.text_type): revoked_v3_token_pkiz = revoked_v3_token_pkiz.encode('utf-8') self.REVOKED_v3_PKIZ_TOKEN_HASH = utils.hash_signed_token( revoked_v3_token_pkiz) self.REVOKED_TOKEN_PKIZ_LIST = ( {'revoked': [{'id': self.REVOKED_TOKEN_PKIZ_HASH, 'expires': timeutils.utcnow()}, {'id': self.REVOKED_v3_PKIZ_TOKEN_HASH, 'expires': timeutils.utcnow()}, ]}) self.REVOKED_TOKEN_PKIZ_LIST_JSON = jsonutils.dumps( self.REVOKED_TOKEN_PKIZ_LIST) self.SIGNED_TOKEN_SCOPED_KEY = cms.cms_hash_token( self.SIGNED_TOKEN_SCOPED) self.SIGNED_TOKEN_UNSCOPED_KEY = cms.cms_hash_token( self.SIGNED_TOKEN_UNSCOPED) self.SIGNED_v3_TOKEN_SCOPED_KEY = cms.cms_hash_token( self.SIGNED_v3_TOKEN_SCOPED) self.SIGNED_TOKEN_SCOPED_PKIZ_KEY = cms.cms_hash_token( self.SIGNED_TOKEN_SCOPED_PKIZ) self.SIGNED_TOKEN_UNSCOPED_PKIZ_KEY = cms.cms_hash_token( self.SIGNED_TOKEN_UNSCOPED_PKIZ) self.SIGNED_v3_TOKEN_SCOPED_PKIZ_KEY = cms.cms_hash_token( self.SIGNED_v3_TOKEN_SCOPED_PKIZ) self.INVALID_SIGNED_TOKEN = ( "MIIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "0000000000000000000000000000000000000000000000000000000000000000" "1111111111111111111111111111111111111111111111111111111111111111" "2222222222222222222222222222222222222222222222222222222222222222" "3333333333333333333333333333333333333333333333333333333333333333" "4444444444444444444444444444444444444444444444444444444444444444" "5555555555555555555555555555555555555555555555555555555555555555" "6666666666666666666666666666666666666666666666666666666666666666" "7777777777777777777777777777777777777777777777777777777777777777" "8888888888888888888888888888888888888888888888888888888888888888" "9999999999999999999999999999999999999999999999999999999999999999" "0000000000000000000000000000000000000000000000000000000000000000") self.INVALID_SIGNED_PKIZ_TOKEN = ( "PKIZ_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "0000000000000000000000000000000000000000000000000000000000000000" "1111111111111111111111111111111111111111111111111111111111111111" "2222222222222222222222222222222222222222222222222222222222222222" "3333333333333333333333333333333333333333333333333333333333333333" "4444444444444444444444444444444444444444444444444444444444444444" "5555555555555555555555555555555555555555555555555555555555555555" "6666666666666666666666666666666666666666666666666666666666666666" "7777777777777777777777777777777777777777777777777777777777777777" "8888888888888888888888888888888888888888888888888888888888888888" "9999999999999999999999999999999999999999999999999999999999999999" "0000000000000000000000000000000000000000000000000000000000000000") # JSON responses keyed by token ID self.TOKEN_RESPONSES = {} # basic values PROJECT_ID = 'tenant_id1' PROJECT_NAME = 'tenant_name1' USER_ID = 'user_id1' USER_NAME = 'user_name1' DOMAIN_ID = 'domain_id1' DOMAIN_NAME = 'domain_name1' ROLE_NAME1 = 'role1' ROLE_NAME2 = 'role2' SERVICE_PROJECT_ID = 'service_project_id1' SERVICE_PROJECT_NAME = 'service_project_name1' SERVICE_USER_ID = 'service_user_id1' SERVICE_USER_NAME = 'service_user_name1' SERVICE_DOMAIN_ID = 'service_domain_id1' SERVICE_DOMAIN_NAME = 'service_domain_name1' SERVICE_ROLE_NAME1 = 'service_role1' SERVICE_ROLE_NAME2 = 'service_role2' self.SERVICE_TYPE = 'identity' self.UNVERSIONED_SERVICE_URL = 'http://keystone.server:5000/' self.SERVICE_URL = self.UNVERSIONED_SERVICE_URL + 'v2.0' # Old Tokens self.TOKEN_RESPONSES[self.VALID_DIABLO_TOKEN] = { 'access': { 'token': { 'id': self.VALID_DIABLO_TOKEN, 'expires': '2020-01-01T00:00:10.000123Z', 'tenantId': PROJECT_ID, }, 'user': { 'id': USER_ID, 'name': USER_NAME, 'roles': [ {'name': ROLE_NAME1}, {'name': ROLE_NAME2}, ], }, }, } # Generated V2 Tokens token = fixture.V2Token(token_id=self.UUID_TOKEN_DEFAULT, tenant_id=PROJECT_ID, tenant_name=PROJECT_NAME, user_id=USER_ID, user_name=USER_NAME) token.add_role(name=ROLE_NAME1) token.add_role(name=ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint(public=self.SERVICE_URL) self.TOKEN_RESPONSES[self.UUID_TOKEN_DEFAULT] = token token = fixture.V2Token(token_id=self.UUID_TOKEN_UNSCOPED, user_id=USER_ID, user_name=USER_NAME) self.TOKEN_RESPONSES[self.UUID_TOKEN_UNSCOPED] = token token = fixture.V2Token(token_id='valid-token', tenant_id=PROJECT_ID, tenant_name=PROJECT_NAME, user_id=USER_ID, user_name=USER_NAME) token.add_role(ROLE_NAME1) token.add_role(ROLE_NAME2) self.TOKEN_RESPONSES[self.UUID_TOKEN_NO_SERVICE_CATALOG] = token token = fixture.V2Token(token_id=self.SIGNED_TOKEN_SCOPED_KEY, tenant_id=PROJECT_ID, tenant_name=PROJECT_NAME, user_id=USER_ID, user_name=USER_NAME) token.add_role(ROLE_NAME1) token.add_role(ROLE_NAME2) self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY] = token token = fixture.V2Token(token_id=self.SIGNED_TOKEN_UNSCOPED_KEY, user_id=USER_ID, user_name=USER_NAME) self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_KEY] = token token = fixture.V2Token(token_id=self.UUID_TOKEN_BIND, tenant_id=PROJECT_ID, tenant_name=PROJECT_NAME, user_id=USER_ID, user_name=USER_NAME) token.add_role(ROLE_NAME1) token.add_role(ROLE_NAME2) token['access']['token']['bind'] = {'kerberos': self.KERBEROS_BIND} self.TOKEN_RESPONSES[self.UUID_TOKEN_BIND] = token token = fixture.V2Token(token_id=self.UUID_TOKEN_UNKNOWN_BIND, tenant_id=PROJECT_ID, tenant_name=PROJECT_NAME, user_id=USER_ID, user_name=USER_NAME) token.add_role(ROLE_NAME1) token.add_role(ROLE_NAME2) token['access']['token']['bind'] = {'FOO': 'BAR'} self.TOKEN_RESPONSES[self.UUID_TOKEN_UNKNOWN_BIND] = token token = fixture.V2Token(token_id=self.UUID_SERVICE_TOKEN_DEFAULT, tenant_id=SERVICE_PROJECT_ID, tenant_name=SERVICE_PROJECT_NAME, user_id=SERVICE_USER_ID, user_name=SERVICE_USER_NAME) token.add_role(name=SERVICE_ROLE_NAME1) token.add_role(name=SERVICE_ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint(public=self.SERVICE_URL) self.TOKEN_RESPONSES[self.UUID_SERVICE_TOKEN_DEFAULT] = token # Generated V3 Tokens token = fixture.V3Token(user_id=USER_ID, user_name=USER_NAME, user_domain_id=DOMAIN_ID, user_domain_name=DOMAIN_NAME, project_id=PROJECT_ID, project_name=PROJECT_NAME, project_domain_id=DOMAIN_ID, project_domain_name=DOMAIN_NAME) token.add_role(id=ROLE_NAME1, name=ROLE_NAME1) token.add_role(id=ROLE_NAME2, name=ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint('public', self.SERVICE_URL) self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_DEFAULT] = token token = fixture.V3Token(user_id=USER_ID, user_name=USER_NAME, user_domain_id=DOMAIN_ID, user_domain_name=DOMAIN_NAME) self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_UNSCOPED] = token token = fixture.V3Token(user_id=USER_ID, user_name=USER_NAME, user_domain_id=DOMAIN_ID, user_domain_name=DOMAIN_NAME, domain_id=DOMAIN_ID, domain_name=DOMAIN_NAME) token.add_role(id=ROLE_NAME1, name=ROLE_NAME1) token.add_role(id=ROLE_NAME2, name=ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint('public', self.SERVICE_URL) self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_DOMAIN_SCOPED] = token token = fixture.V3Token(user_id=USER_ID, user_name=USER_NAME, user_domain_id=DOMAIN_ID, user_domain_name=DOMAIN_NAME, project_id=PROJECT_ID, project_name=PROJECT_NAME, project_domain_id=DOMAIN_ID, project_domain_name=DOMAIN_NAME) token.add_role(name=ROLE_NAME1) token.add_role(name=ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint('public', self.SERVICE_URL) self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_KEY] = token token = fixture.V3Token(user_id=USER_ID, user_name=USER_NAME, user_domain_id=DOMAIN_ID, user_domain_name=DOMAIN_NAME, project_id=PROJECT_ID, project_name=PROJECT_NAME, project_domain_id=DOMAIN_ID, project_domain_name=DOMAIN_NAME) token.add_role(name=ROLE_NAME1) token.add_role(name=ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint('public', self.SERVICE_URL) token['token']['bind'] = {'kerberos': self.KERBEROS_BIND} self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_BIND] = token token = fixture.V3Token(user_id=USER_ID, user_name=USER_NAME, user_domain_id=DOMAIN_ID, user_domain_name=DOMAIN_NAME, project_id=PROJECT_ID, project_name=PROJECT_NAME, project_domain_id=DOMAIN_ID, project_domain_name=DOMAIN_NAME) token.add_role(name=ROLE_NAME1) token.add_role(name=ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint('public', self.SERVICE_URL) token['token']['bind'] = {'FOO': 'BAR'} self.TOKEN_RESPONSES[self.v3_UUID_TOKEN_UNKNOWN_BIND] = token token = fixture.V3Token(user_id=SERVICE_USER_ID, user_name=SERVICE_USER_NAME, user_domain_id=SERVICE_DOMAIN_ID, user_domain_name=SERVICE_DOMAIN_NAME, project_id=SERVICE_PROJECT_ID, project_name=SERVICE_PROJECT_NAME, project_domain_id=SERVICE_DOMAIN_ID, project_domain_name=SERVICE_DOMAIN_NAME) token.add_role(id=SERVICE_ROLE_NAME1, name=SERVICE_ROLE_NAME1) token.add_role(id=SERVICE_ROLE_NAME2, name=SERVICE_ROLE_NAME2) svc = token.add_service(self.SERVICE_TYPE) svc.add_endpoint('public', self.SERVICE_URL) self.TOKEN_RESPONSES[self.v3_UUID_SERVICE_TOKEN_DEFAULT] = token # PKIZ tokens generally link to above tokens self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_PKIZ_KEY] = ( self.TOKEN_RESPONSES[self.SIGNED_TOKEN_SCOPED_KEY]) self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_PKIZ_KEY] = ( self.TOKEN_RESPONSES[self.SIGNED_TOKEN_UNSCOPED_KEY]) self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_PKIZ_KEY] = ( self.TOKEN_RESPONSES[self.SIGNED_v3_TOKEN_SCOPED_KEY]) self.JSON_TOKEN_RESPONSES = dict([(k, jsonutils.dumps(v)) for k, v in six.iteritems(self.TOKEN_RESPONSES)])
UUID_TOKEN_NO_SERVICE_CATALOG = "8286720fbe4941e69fa8241723bb02df" UUID_TOKEN_UNSCOPED = "731f903721c14827be7b2dc912af7776" VALID_DIABLO_TOKEN = "b0cf19b55dbb4f20a6ee18e6c6cf1726" v3_UUID_TOKEN_DEFAULT = "5603457654b346fdbb93437bfe76f2f1" v3_UUID_TOKEN_UNSCOPED = "d34835fdaec447e695a0a024d84f8d79" v3_UUID_TOKEN_DOMAIN_SCOPED = "e8a7b63aaa4449f38f0c5c05c3581792" REVOKED_TOKEN_HASH = utils.hash_signed_token(REVOKED_TOKEN) REVOKED_TOKEN_LIST = {"revoked": [{"id": REVOKED_TOKEN_HASH, "expires": timeutils.utcnow()}]} REVOKED_TOKEN_LIST_JSON = jsonutils.dumps(REVOKED_TOKEN_LIST) REVOKED_v3_TOKEN_HASH = utils.hash_signed_token(REVOKED_v3_TOKEN) REVOKED_v3_TOKEN_LIST = {"revoked": [{"id": REVOKED_v3_TOKEN_HASH, "expires": timeutils.utcnow()}]} REVOKED_v3_TOKEN_LIST_JSON = jsonutils.dumps(REVOKED_v3_TOKEN_LIST) SIGNED_TOKEN_SCOPED_KEY = cms.cms_hash_token(SIGNED_TOKEN_SCOPED) SIGNED_TOKEN_UNSCOPED_KEY = cms.cms_hash_token(SIGNED_TOKEN_UNSCOPED) SIGNED_v3_TOKEN_SCOPED_KEY = cms.cms_hash_token(SIGNED_v3_TOKEN_SCOPED) INVALID_SIGNED_TOKEN = ( "MIIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "0000000000000000000000000000000000000000000000000000000000000000" "1111111111111111111111111111111111111111111111111111111111111111" "2222222222222222222222222222222222222222222222222222222222222222" "3333333333333333333333333333333333333333333333333333333333333333" "4444444444444444444444444444444444444444444444444444444444444444"
def setUp(self): super(Examples, self).setUp() # The data for several tests are signed using openssl and are stored in # files in the signing subdirectory. In order to keep the values # consistent between the tests and the signed documents, we read them # in for use in the tests. with open(os.path.join(CMSDIR, "auth_token_scoped.pem")) as f: self.SIGNED_TOKEN_SCOPED = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, "auth_token_unscoped.pem")) as f: self.SIGNED_TOKEN_UNSCOPED = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, "auth_v3_token_scoped.pem")) as f: self.SIGNED_v3_TOKEN_SCOPED = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, "auth_token_revoked.pem")) as f: self.REVOKED_TOKEN = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, "auth_token_scoped_expired.pem")) as f: self.SIGNED_TOKEN_SCOPED_EXPIRED = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, "auth_v3_token_revoked.pem")) as f: self.REVOKED_v3_TOKEN = cms.cms_to_token(f.read()) with open(os.path.join(CMSDIR, "revocation_list.json")) as f: self.REVOCATION_LIST = jsonutils.loads(f.read()) with open(os.path.join(CMSDIR, "revocation_list.pem")) as f: self.SIGNED_REVOCATION_LIST = jsonutils.dumps({"signed": f.read()}) self.SIGNING_CERT_FILE = os.path.join(CERTDIR, "signing_cert.pem") with open(self.SIGNING_CERT_FILE) as f: self.SIGNING_CERT = f.read() self.KERBEROS_BIND = "USER@REALM" self.SIGNING_KEY_FILE = os.path.join(KEYDIR, "signing_key.pem") with open(self.SIGNING_KEY_FILE) as f: self.SIGNING_KEY = f.read() self.SIGNING_CA_FILE = os.path.join(CERTDIR, "cacert.pem") with open(self.SIGNING_CA_FILE) as f: self.SIGNING_CA = f.read() self.UUID_TOKEN_DEFAULT = "ec6c0710ec2f471498484c1b53ab4f9d" self.UUID_TOKEN_NO_SERVICE_CATALOG = "8286720fbe4941e69fa8241723bb02df" self.UUID_TOKEN_UNSCOPED = "731f903721c14827be7b2dc912af7776" self.UUID_TOKEN_BIND = "3fc54048ad64405c98225ce0897af7c5" self.UUID_TOKEN_UNKNOWN_BIND = "8885fdf4d42e4fb9879e6379fa1eaf48" self.VALID_DIABLO_TOKEN = "b0cf19b55dbb4f20a6ee18e6c6cf1726" self.v3_UUID_TOKEN_DEFAULT = "5603457654b346fdbb93437bfe76f2f1" self.v3_UUID_TOKEN_UNSCOPED = "d34835fdaec447e695a0a024d84f8d79" self.v3_UUID_TOKEN_DOMAIN_SCOPED = "e8a7b63aaa4449f38f0c5c05c3581792" self.v3_UUID_TOKEN_BIND = "2f61f73e1c854cbb9534c487f9bd63c2" self.v3_UUID_TOKEN_UNKNOWN_BIND = "7ed9781b62cd4880b8d8c6788ab1d1e2" revoked_token = self.REVOKED_TOKEN if isinstance(revoked_token, six.text_type): revoked_token = revoked_token.encode("utf-8") self.REVOKED_TOKEN_HASH = utils.hash_signed_token(revoked_token) self.REVOKED_TOKEN_LIST = {"revoked": [{"id": self.REVOKED_TOKEN_HASH, "expires": timeutils.utcnow()}]} self.REVOKED_TOKEN_LIST_JSON = jsonutils.dumps(self.REVOKED_TOKEN_LIST) revoked_v3_token = self.REVOKED_v3_TOKEN if isinstance(revoked_v3_token, six.text_type): revoked_v3_token = revoked_v3_token.encode("utf-8") self.REVOKED_v3_TOKEN_HASH = utils.hash_signed_token(revoked_v3_token) self.REVOKED_v3_TOKEN_LIST = {"revoked": [{"id": self.REVOKED_v3_TOKEN_HASH, "expires": timeutils.utcnow()}]} self.REVOKED_v3_TOKEN_LIST_JSON = jsonutils.dumps(self.REVOKED_v3_TOKEN_LIST) self.SIGNED_TOKEN_SCOPED_KEY = cms.cms_hash_token(self.SIGNED_TOKEN_SCOPED) self.SIGNED_TOKEN_UNSCOPED_KEY = cms.cms_hash_token(self.SIGNED_TOKEN_UNSCOPED) self.SIGNED_v3_TOKEN_SCOPED_KEY = cms.cms_hash_token(self.SIGNED_v3_TOKEN_SCOPED) self.INVALID_SIGNED_TOKEN = ( "MIIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "0000000000000000000000000000000000000000000000000000000000000000" "1111111111111111111111111111111111111111111111111111111111111111" "2222222222222222222222222222222222222222222222222222222222222222" "3333333333333333333333333333333333333333333333333333333333333333" "4444444444444444444444444444444444444444444444444444444444444444" "5555555555555555555555555555555555555555555555555555555555555555" "6666666666666666666666666666666666666666666666666666666666666666" "7777777777777777777777777777777777777777777777777777777777777777" "8888888888888888888888888888888888888888888888888888888888888888" "9999999999999999999999999999999999999999999999999999999999999999" "0000000000000000000000000000000000000000000000000000000000000000" ) # JSON responses keyed by token ID self.TOKEN_RESPONSES = { self.UUID_TOKEN_DEFAULT: { "access": { "token": { "id": self.UUID_TOKEN_DEFAULT, "expires": "2020-01-01T00:00:10.000123Z", "tenant": {"id": "tenant_id1", "name": "tenant_name1"}, }, "user": {"id": "user_id1", "name": "user_name1", "roles": [{"name": "role1"}, {"name": "role2"}]}, "serviceCatalog": {}, } }, self.VALID_DIABLO_TOKEN: { "access": { "token": { "id": self.VALID_DIABLO_TOKEN, "expires": "2020-01-01T00:00:10.000123Z", "tenantId": "tenant_id1", }, "user": {"id": "user_id1", "name": "user_name1", "roles": [{"name": "role1"}, {"name": "role2"}]}, } }, self.UUID_TOKEN_UNSCOPED: { "access": { "token": {"id": self.UUID_TOKEN_UNSCOPED, "expires": "2020-01-01T00:00:10.000123Z"}, "user": {"id": "user_id1", "name": "user_name1", "roles": [{"name": "role1"}, {"name": "role2"}]}, } }, self.UUID_TOKEN_NO_SERVICE_CATALOG: { "access": { "token": { "id": "valid-token", "expires": "2020-01-01T00:00:10.000123Z", "tenant": {"id": "tenant_id1", "name": "tenant_name1"}, }, "user": {"id": "user_id1", "name": "user_name1", "roles": [{"name": "role1"}, {"name": "role2"}]}, } }, self.UUID_TOKEN_BIND: { "access": { "token": { "bind": {"kerberos": self.KERBEROS_BIND}, "id": self.UUID_TOKEN_BIND, "expires": "2020-01-01T00:00:10.000123Z", "tenant": {"id": "tenant_id1", "name": "tenant_name1"}, }, "user": {"id": "user_id1", "name": "user_name1", "roles": [{"name": "role1"}, {"name": "role2"}]}, "serviceCatalog": {}, } }, self.UUID_TOKEN_UNKNOWN_BIND: { "access": { "token": { "bind": {"FOO": "BAR"}, "id": self.UUID_TOKEN_UNKNOWN_BIND, "expires": "2020-01-01T00:00:10.000123Z", "tenant": {"id": "tenant_id1", "name": "tenant_name1"}, }, "user": {"id": "user_id1", "name": "user_name1", "roles": [{"name": "role1"}, {"name": "role2"}]}, "serviceCatalog": {}, } }, self.v3_UUID_TOKEN_DEFAULT: { "token": { "expires_at": "2020-01-01T00:00:10.000123Z", "user": { "id": "user_id1", "name": "user_name1", "domain": {"id": "domain_id1", "name": "domain_name1"}, }, "project": { "id": "tenant_id1", "name": "tenant_name1", "domain": {"id": "domain_id1", "name": "domain_name1"}, }, "roles": [{"name": "role1", "id": "Role1"}, {"name": "role2", "id": "Role2"}], "catalog": {}, } }, self.v3_UUID_TOKEN_UNSCOPED: { "token": { "expires_at": "2020-01-01T00:00:10.000123Z", "user": { "id": "user_id1", "name": "user_name1", "domain": {"id": "domain_id1", "name": "domain_name1"}, }, } }, self.v3_UUID_TOKEN_DOMAIN_SCOPED: { "token": { "expires_at": "2020-01-01T00:00:10.000123Z", "user": { "id": "user_id1", "name": "user_name1", "domain": {"id": "domain_id1", "name": "domain_name1"}, }, "domain": {"id": "domain_id1", "name": "domain_name1"}, "roles": [{"name": "role1", "id": "Role1"}, {"name": "role2", "id": "Role2"}], "catalog": {}, } }, self.SIGNED_TOKEN_SCOPED_KEY: { "access": { "token": {"id": self.SIGNED_TOKEN_SCOPED_KEY}, "user": { "id": "user_id1", "name": "user_name1", "tenantId": "tenant_id1", "tenantName": "tenant_name1", "roles": [{"name": "role1"}, {"name": "role2"}], }, } }, self.SIGNED_TOKEN_UNSCOPED_KEY: { "access": { "token": {"id": self.SIGNED_TOKEN_UNSCOPED_KEY}, "user": {"id": "user_id1", "name": "user_name1", "roles": [{"name": "role1"}, {"name": "role2"}]}, } }, self.SIGNED_v3_TOKEN_SCOPED_KEY: { "token": { "expires": "2020-01-01T00:00:10.000123Z", "user": { "id": "user_id1", "name": "user_name1", "domain": {"id": "domain_id1", "name": "domain_name1"}, }, "project": { "id": "tenant_id1", "name": "tenant_name1", "domain": {"id": "domain_id1", "name": "domain_name1"}, }, "roles": [{"name": "role1"}, {"name": "role2"}], "catalog": {}, } }, self.v3_UUID_TOKEN_BIND: { "token": { "bind": {"kerberos": self.KERBEROS_BIND}, "expires_at": "2020-01-01T00:00:10.000123Z", "user": { "id": "user_id1", "name": "user_name1", "domain": {"id": "domain_id1", "name": "domain_name1"}, }, "project": { "id": "tenant_id1", "name": "tenant_name1", "domain": {"id": "domain_id1", "name": "domain_name1"}, }, "roles": [{"name": "role1", "id": "Role1"}, {"name": "role2", "id": "Role2"}], "catalog": {}, } }, self.v3_UUID_TOKEN_UNKNOWN_BIND: { "token": { "bind": {"FOO": "BAR"}, "expires_at": "2020-01-01T00:00:10.000123Z", "user": { "id": "user_id1", "name": "user_name1", "domain": {"id": "domain_id1", "name": "domain_name1"}, }, "project": { "id": "tenant_id1", "name": "tenant_name1", "domain": {"id": "domain_id1", "name": "domain_name1"}, }, "roles": [{"name": "role1", "id": "Role1"}, {"name": "role2", "id": "Role2"}], "catalog": {}, } }, } self.JSON_TOKEN_RESPONSES = dict([(k, jsonutils.dumps(v)) for k, v in six.iteritems(self.TOKEN_RESPONSES)])